CVE-2023-39643

9.8 CRITICAL

📋 TL;DR

This CVE describes a SQL injection vulnerability in the Bl Modules xmlfeeds PrestaShop module before version 3.9.8. Attackers can exploit the SearchApiXml::Xmlfeeds() component to execute arbitrary SQL commands, potentially compromising the database. All PrestaShop installations using vulnerable versions of this module are affected.

💻 Affected Systems

Products:
  • Bl Modules xmlfeeds PrestaShop module
Versions: All versions before 3.9.8
Operating Systems: Any OS running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the xmlfeeds module to be installed and enabled in PrestaShop.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise leading to data theft, data manipulation, privilege escalation, or complete system takeover by chaining the SQL injection into remote code execution.

🟠 Likely Case

Database information disclosure, data manipulation, or authentication bypass through SQL injection.

🟢 If Mitigated

Limited impact where input validation, parameterized queries, and a WAF blocking malicious SQL patterns are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized; the specific component is accessible via API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.8

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/08/29/xmlfeeds.html

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find the 'xmlfeeds' module.
4. Update to version 3.9.8 or later via the update button or a manual upload.

🔧 Temporary Workarounds

Disable xmlfeeds module (applies to: all)

Temporarily disable the vulnerable module until patching is possible.

WAF rule for SQL injection (applies to: all)

Implement web application firewall rules to block SQL injection patterns targeting the SearchApiXml::Xmlfeeds() endpoint.

🧯 If You Can't Patch

  • Restrict network access to the PrestaShop instance to trusted IPs only.
  • Implement strict input validation and sanitization for all user inputs to the xmlfeeds module.

🔍 How to Verify

Check if Vulnerable:

Check the xmlfeeds module version in PrestaShop admin under Modules > Module Manager; if version is below 3.9.8, it is vulnerable.

Check Version:

No direct CLI command; check via PrestaShop admin interface or inspect module files for version metadata.

Verify Fix Applied:

Confirm the xmlfeeds module version is 3.9.8 or higher in the module manager after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • HTTP requests to xmlfeeds API endpoints with SQL-like payloads

Network Indicators:

  • HTTP POST/GET requests to paths containing 'xmlfeeds' with suspicious parameters

SIEM Query:

source="web_server" AND uri="*xmlfeeds*" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR 1=1*")
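The SIEM query above, as an added detection example that is not from the original page or the module's vendor: it scans combined-format access-log lines for xmlfeeds requests whose query string carries the same SELECT / UNION / OR 1=1 indicators, but URL-decodes (including double encoding) and case-folds first, since a literal `*SELECT*` match misses `%53ELECT` or `sElEcT`. The log lines and the /modules/xmlfeeds/api.php path are constructed placeholders, not the module's real endpoint.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); the xmlfeeds path is
# a hypothetical placeholder, not the module's real endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2023:10:01:02 +0000] "GET /modules/xmlfeeds/api.php?feed=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2023:10:01:09 +0000] "GET /modules/xmlfeeds/api.php?search=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 9001 "-" "curl/8.1"
198.51.100.9 - - [29/Aug/2023:10:02:30 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2023:10:02:45 +0000] "POST /modules/xmlfeeds/api.php?q=x%2527%2520oR%25201%253d1 HTTP/1.1" 200 700 "-" "python-requests/2.31"
"""

# Request line: ip ident user [timestamp] "METHOD target HTTP/x.y" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# The three indicators from the SIEM query, generalised: case-insensitive,
# word-bounded, and "OR 1=1" allowing any digits and surrounding whitespace.
SQLI_PATTERNS = {
    "select": re.compile(r"\bselect\b", re.I),
    "union": re.compile(r"\bunion\b", re.I),
    "or_tautology": re.compile(r"\bor\b\s*\d+\s*=\s*\d+", re.I),
}

def normalise(query: str, rounds: int = 2) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527) are matched too."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def sqli_indicators(query: str) -> list[str]:
    """Return the names of the SQL-injection patterns found in a query string."""
    text = normalise(query)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(text)]

def scan_log(log_text: str) -> list[dict]:
    """Flag requests to an xmlfeeds path whose query string carries SQLi indicators."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        parts = urlsplit(m["target"])
        if "xmlfeeds" not in parts.path.lower():
            continue  # only the vulnerable module's endpoints are in scope
        hits = sqli_indicators(parts.query)
        if hits:
            alerts.append({"ip": m["ip"], "method": m["method"],
                           "path": parts.path, "indicators": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The bare `select` and `union` word matches will also fire on legitimate parameters that happen to contain those words, so treat hits as triage candidates and tune the patterns to the module's real parameter names before alerting on them.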
